(57) Abstract: A method of responding to an information technology related 
incident. The method having the steps of receiving a security alert (54), the 
security alert being displayed on an incident response and investigation system 
(58) for analysis by an administrator; documenting the incident (56) based on 
information contained in the security alert; opening an investigation file (64) 
to administrate investigation of the incident; and collecting items of electronic 
evidence and maintaining the evidence in an electronic evidence database 
associated with the investigation file (66). An incident response and investigation 
system is also disclosed. The system having an incoming security alert 
administration function for receiving and analyzing security alerts, each security alert 
containing information related to an event (106), the event being related to an 
information technology policy of an organization; an incident administration 
function for creating an incident file to document the event; and an 
investigation administration function for administering an investigation of the event 
documented in the incident file (158). 
INFORMATION TECHNOLOGY INCIDENT RESPONSE AND INVESTIGATION SYSTEM AND METHOD 

This application claims priority from copending U.S. provisional application serial 
number 60/156,912, filed October 1, 1999, entitled, "SCORPIAN (Secure Corporate 
Investigations Automation)", incorporated herein by reference in its entirety. 

TECHNICAL FIELD 

The present invention generally relates to information technology and, more 
particularly, to a system and method for tracking, responding to and investigating incidents 
involving information technology policy. 

BACKGROUND ART 

There is an ever present demand for information technology security tools and 
techniques for protecting against, detecting and responding to incidents involving potentially 
criminal and other types of culpable behavior. Information technology, as used herein, relates 
to the collection, organization, handling, storage and communication of information, such as 
data, computer files, algorithms, executable code and instructions, data packets, documents, 
electronic mail ("e-mail") and the like (collectively referred to below as electronic 
information or electronic documents). Information technology generally refers to electronic 
media used in connection with a computer or computer network, but is not limited thereto. 

Most organizations, firms, companies, government agencies and institutions have 
policies, standards, procedures, rules and regulations concerning the behavior of their 
employees, staff members, volunteers, service providers and third parties. These policies 
may relate to matters including information technology security policies, standards and 
procedures, corporate espionage, sexual harassment, discrimination, fraud, embezzlement and 
the like. These entities are also concerned with civil or criminal actions that may be brought 
against the entity for causes of action ranging from insider trading to wrongful termination. 
In addition, local, state and federal laws and government agency regulations may govern 
people's conduct. 
Presently, computers are used by persons who may violate an organization's policies, 
a criminal law or regulatory rule, or may be used to engage in wrongful conduct presenting 
the organization with a civil remedy. The use of a computer during the commission of these 
activities may leave evidence in the form of computer logs, files, e-mail and the like. 
Alternatively, computers may be used in such a way to leave evidence useful in the defense of 
a criminal or civil action brought against the organization. 

To date, information security tools have focused on protection against and the 
detection of computer related threats. Common protection schemes include establishing 
information technology protocols, isolation techniques (e.g., the establishment of firewalls), 
access limitations (e.g., password control and parental Internet control) and the use of 
encryption. Detection schemes include hacking detection algorithms, e-mail parsing and 
content filtering, security sweeps and human reporting (e.g., "whistle-blowing"). 

However, very little attention has been given to automating the response to and the 
investigation of an incident which potentially violates one or more of the foregoing 
regulations and/or requires the analysis of electronic documents. Therefore, there exists a 
need in the art for an information technology incident response and investigation tool. 



SUMMARY OF THE INVENTION 

According to one aspect of the invention, the invention is a method of responding to 
an information technology related incident. The method having the steps of receiving a 
security alert, the security alert being displayed on an incident response and investigation 
system for analysis by an administrator; documenting the incident based on information 
contained in the security alert; opening an investigation file to administrate an investigation 
of the incident; and collecting items of electronic evidence and maintaining the evidence in an 
electronic evidence database associated with the investigation file. 

According to another aspect of the invention, the invention is an incident response and 
investigation system. The system having an incoming security alert administration function 
for receiving and analyzing security alerts, each security alert containing information related 
to an event, the event being related to an information technology policy of an organization; an 
incident administration function for creating an incident file to document the event; and an 
investigation administration function for administering an investigation of the event 
documented in the incident file. 


BRIEF DESCRIPTION OF DRAWINGS 

These and further features of the present invention will be apparent with reference to 
the following description and drawings, wherein: 

FIG. 1 is a block diagram of an incident response and investigation system; 

FIG. 2 is a flow chart of the general operation of the incident response and 
investigation system; 

FIG. 3 is a flow chart of an incoming security alert administration function of the 
incident response and investigation system; 

FIG. 4 is a graphical illustration of an interactive display for the incoming security 
alert administration function; 

FIG. 5 is a flow chart of an incident administration function of the incident response 
and investigation system; 

FIG. 6 is a graphical illustration of an interactive display for the incident 
administration function; 

FIG. 7 is a flow chart of an investigation administration function of the incident 
response and investigation system; 

FIG. 8 is a graphical illustration of an interactive display for the investigation 
administration function; 

FIG. 9 is a flow chart of a digital notary function of the incident response and 
investigation system; and 

FIG. 10 is a graphical illustration of an interactive display for an information 
technology policy administration function of the incident response and investigation system. 

DISCLOSURE OF THE INVENTION 

In the detailed description which follows, identical components have been given the 
same reference numerals, regardless of whether they are shown in different embodiments of 
the present invention. To illustrate the present invention in a clear and concise manner, the 
drawings may not necessarily be to scale and certain features may be shown in somewhat 
schematic form. 

Referring to FIG. 1, a block diagram of an incident response and investigation system 
10, or simply the system 10, is illustrated. As used herein, the term incident is intended to 
include, but is not limited to, any activity relating to the potential breach of one of the 
policies, procedures, rules, laws or regulations mentioned in the background section above. 
Briefly, the system 10 is a computer tool having a graphical user interface to assist an 
information technology security administrator to securely create and maintain databases for 
security alerts, incidents, investigations, electronic evidence, reports, and information 
technology policies. 

The system 10 includes a computer system 12. The computer system 12 has a 
processor 14 for executing instructions, usually in the form of computer code, to carry out a 
specified logic routine and a memory 16 for storing data, software, logic routine instructions, 
computer programs, files, operating system instructions, and the like. The memory 16 can 
comprise several devices and includes, for example, volatile and nonvolatile memory 
components. Volatile components typically do not retain data values upon a loss of power. 
Nonvolatile components retain data upon a loss of power. Thus, the memory 16 can be, for 
example, random access memory (RAM), read-only memory (ROM), hard disks, floppy 
disks, compact disks (including, but not limited to, CD-ROM, DVD-ROM and CD-RW), 
tapes, and/or other memory components, including drives and players for these memory 
types. 

The processor 14 and the memory 16 are coupled to a local interface 18. The local 
interface 18 can be, for example, a data bus with an accompanying control bus, or a network 
between a processor and/or processors and a memory or memories. The computer system 12 
also has a video interface 20, a number of input interfaces 22, a modem 24, and a number of 
output interfaces 26, each being coupled to the local interface 18. 

The system 10 also has a display 28 coupled to the local interface 18 via the video 
interface 20. Although shown as a cathode ray tube (CRT), the display device may 
alternatively be, for example, a liquid crystal display (LCD), a plasma display, an 
electroluminescent display, indicator lights, or light emitting diodes. In addition, the system 10 has 
several input devices, including, but not limited to, a keyboard 30, a mouse 32, a microphone 
34, and a scanner 36, each being coupled to the local interface 18 via the input interfaces 22. 
The modem 24 is coupled to an external network 38 enabling the computer system 12 to send 
and receive data signals, voice signals, video signals and the like via the external network 38 
as is well known in the art. The external network 38 may be, for example, the Internet, a 
wide area network (WAN), a local area network (LAN), direct data link or other similar 
network. It is noted that the system 10 can be accessed and used by a remote user via the 
external network 38 and modem 24. The system 10 can also include output devices coupled 
to the local interface 18 via the output interfaces 26, such as audio speakers 40, a printer 42, 
and the like. 

The computer system 12 is programmed to display and execute an automated incident 
response and investigation software tool in graphical user interface (GUI) format. 
Alternatively, the computer system has logic stored in the memory 16 capable of being 
executed to display and function as the automated incident response and investigation 
software tool. 

With additional reference to FIG. 2, a general operational logic 50 of the system 10 
and associated software tool is illustrated. Upon the detection of an incident in step 52, an 
alerting source (not illustrated) will generate a security alert and relay the security alert to the 
computer system 12 for processing. It is noted that the alerting source can be an individual, 
an individual using a device or an automated device. If the alerting source is an automated 
device, the alerting source will generally be separate from the system 10. 

Persons, such as employees, human resource professionals, legal counselors, law 
enforcement officials, and members of another organization or company, may notice or 
become aware of an incident. The person may elect to send a security alert directly to the 
system 10. Alternatively, the person may elect to notify a superior or a system 10 
administrator who sends the security alert to the system 10. Security alerts can be presented 
to the system 10 in a number of ways, including direct entry using the input devices of the 
system 10, e-mail, entering information in a web page (using, for example, hypertext 
transfer protocol, or HTTP), pressing an alarm button, and the like. It is noted that e-mails 
can be addressed to the system 10 using an anonymous e-mail tool, and internet or intranet 
alerts can also be sent to the system 10 via anonymous electronic transmission. 
Should the author of the e-mail specify that the e-mail containing the security alert is to be 
sent anonymously, an e-mail logic routine will strip or modify any headers identifying the 
source of the e-mail before delivery to the system 10. 
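The header-stripping routine described above, as an added example that is not code from the patent or from any product it describes. The patent only says that identifying headers are stripped or modified; the allow-list approach (keep only Subject and Date, rebuild everything else), the replacement addresses and the constructed sample message are this example's own assumptions.

```python
"""
Added example (not code from the patent): an anonymizing relay step that
rebuilds an e-mailed security alert so that only allow-listed headers and the
text body reach the incident response system. Header choices and addresses
are this example's own assumptions.
"""
from email import message_from_string, policy
from email.message import EmailMessage

# Allow-list: every other header (From, Sender, Reply-To, Received, Message-ID,
# X-Originating-IP, X-Mailer, ...) is dropped, so an unexpected tracing header
# cannot leak the sender. Addresses below are constructed placeholders.
KEEP_HEADERS = {"subject", "date"}
ANON_SENDER = "anonymous-alert@alerts.example.invalid"
ALERT_INBOX = "alerts@irs.example.invalid"


def anonymize_alert(raw: str) -> EmailMessage:
    """Return a fresh message carrying only allow-listed headers and the plain-text body."""
    src = message_from_string(raw, policy=policy.default)
    out = EmailMessage()
    for name, value in src.items():
        if name.lower() in KEEP_HEADERS:
            out[name] = str(value)
    out["From"] = ANON_SENDER
    out["To"] = ALERT_INBOX
    # Copy the body text only; a multipart alert would need each part treated the same way.
    body = src.get_body(preferencelist=("plain",))
    out.set_content(body.get_content() if body is not None else "")
    return out


def leaked_headers(msg: EmailMessage) -> list:
    """Audit helper: names of headers present that the relay should not have emitted."""
    allowed = KEEP_HEADERS | {"from", "to", "content-type",
                              "content-transfer-encoding", "mime-version"}
    return [n for n in msg.keys() if n.lower() not in allowed]


# Constructed sample alert as an employee's mail client might send it.
SAMPLE = """From: Jane Doe <jane.doe@corp.example.invalid>
Received: from ws-042.corp.example.invalid (10.0.0.42) by mx.corp.example.invalid
Message-ID: <123@ws-042.corp.example.invalid>
X-Originating-IP: 10.0.0.42
Date: Fri, 01 Oct 1999 09:00:00 -0400
Subject: Anonymous alert: possible expense fraud

I believe expense reports in department X are being falsified.
"""

if __name__ == "__main__":
    print(anonymize_alert(SAMPLE).as_string())
```

Rebuilding the message from an allow-list is deliberate: a deny-list of known identifying headers would silently pass any header the list does not mention, while the allow-list fails closed. The body is still the author's text, so the routine cannot remove identifying details the author wrote into the alert itself.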
Security alerts can also be presented to the system 10 by an automated or 
semi-automated detection device configured to detect a potential incident in real time. Example 
detection devices include software tools and firewalls programmed to detect certain activities, 
such as the downloading of pornography, suspicious financial transfers, and the hacking of a 
computer system. Upon the detection of an incident, the detection device will configure a 
data packet and send the data packet to the system 10 to alert the system 10 of the incident. 
The data packet can be in a variety of formats including an e-mail or codes to be interpreted 
by the system 10. 

In step 54, the system 10 receives the security alert from either an external source as 
described above via the modem or by direct entry using the input devices, such as the 
keyboard 30, mouse 32 and/or microphone 34. Speech received via the microphone 34 can 
be converted into text using a voice recognition application. 

In an alternative configuration, the security alerts are initially sent to an alert 
processing system that is separate from the system 10. The alert processing system can 
conduct some preliminary analysis of the security alerts, consolidate alerts relating to the 
same incident, eliminate duplicate alerts, filter the alerts, prioritize the alerts, temporarily 
store alerts and/or attend to the security alert in the manner of the system 10, especially when 
the system 10 is unattended. The alert processing system can be staffed by a person at all 
times and can be configured to receive alerts for multiple entities having the system 10, 
thereby alleviating full-time staffing of the system 10. Once security alerts are processed by 
the alert processing system, the alert processing system sends a secure security alert or 
alerts to the system 10 for further attention by the system 10 administrator as described 
herein. 

Security alerts received by the system 10 are documented and subsequently managed 
using an incoming security alert administration function as will be described in more detail 
below with respect to FIGS. 3 and 4. 
Using an incident administration function, a system 10 administrator documents 
incidents related to incoming security alerts in step 56. The user can configure an incident 
file for each incoming security alert or can group security alerts as being related to one 
incident and configure an associated incident file. The documentation and subsequent 
management of incident files will be discussed in more detail below with respect to FIGS. 5 
and 6. 

Each incident file is reviewed, either through programming of the system 10 or by 
human analysis, to determine if an investigation should be opened to examine the incident in 
greater detail (step 58). Although each incident file may not be investigated, the incident files 
will remain as historical documentation of the incident. A set of criteria can be established to 
determine whether the incident should be investigated. For example, certain alerts generated 
by a firewall may not require further attention, but an e-mail containing certain accusations 
may be automatically flagged as warranting investigation. If an investigation is not 
warranted, the incident file will become dormant and the system will await new security 
alerts. The identity of the person(s) tasked with deciding whether an investigation is 
warranted may be restricted to selected individuals and validated with the use of a password 
protection scheme or a digital signature scheme. 

If an investigation is warranted based on the nature of the associated incident in step 
58, the system 10 can be configured to not proceed unless approval to open the investigation 
is granted by at least one person in a position of proper authority (step 60). The system 10 
can be configured to require approval for all potential investigations or just certain types of 
investigations. If approval is not required or if approval is required and granted (step 62), the 
system 10 will open, or document, an investigation file using an investigation administration 
function in step 64. If approval is required and not granted in step 62, the associated incident 
file will become dormant and the system will await new security alerts. As a safeguard, the 
system 10 can be configured to require more than one person's approval to open an 
investigation based on an incident file. In addition, the identity of the person(s) tasked with 
granting investigation approval may be validated with the use of a password protection 
scheme or a digital signature scheme. 
The documentation and subsequent management of investigation files using an 
investigation administration function of the system 10 will be discussed in more detail below 
with respect to FIGS. 7 and 8. It is noted that investigations may also be opened for events 
which do not spawn a security alert or an incident file. For example, if a lawsuit is brought 
against a corporation using the system 10, the corporation may be interested in analyzing 
information technology matters potentially related to the lawsuit. In this instance, the 
features of the investigation administration function may be useful to the corporation and an 
investigation file may be opened by bypassing steps 52 to 56. 

The administration of an investigation file includes various tasks which can be 
automated, at least in part, using the investigation administration function of the system 10 
(step 66). For example, the administration of an investigation file can include alerting 
individuals and/or organizations that make up a response team tasked with reacting to the 
incident and conducting the investigation. 

The investigation administration function is also capable of opening an evidence 
database for each investigation file. It is noted that the evidence database for each 
investigation file is logically or physically separated from every other investigation's 
evidence database to assist in preserving the integrity of the evidence databases. The 
evidence database for each investigation file may contain a catalog of physical evidence 
items. The evidence database is also a repository for electronic copies of electronic files that have 
been copied or confiscated during the investigation. The electronic files can be any type of 
file in computer readable format, including but not limited to e-mail files, firewall logs, word 
processing or spreadsheet documents, logs from computer forensic tools, and specific 
computer program application logs. Part of the evidence collected will usually include the 
original security alert(s) received in step 54. 

The administration of an investigation file can also include digitally notarizing 
selected pieces of electronic evidence. Digital notarization techniques are known in the art 
and include the digital authentication system described in U.S. Patent No. 5,781,629, 
incorporated herein by reference in its entirety. As will be discussed in more detail with 
respect to FIG. 9, digital notarization of electronic files provides a reasonably secure means 
of subsequently verifying the contents of a particular electronic file at the time of 
notarization. This record may be desirable to help validate the electronic evidence at a later 
date. For example, the digital notarization may assist a witness in authenticating a particular 
electronic file to enhance the admissibility of the electronic file into evidence during a legal 
proceeding. 
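The approval gate of steps 58 to 62, the per-investigation evidence database of step 66 and the notarization of evidence items described above, as one added example that is not code from the patent or from any product it describes. The data layout (Incident, Investigation, NotaryRecord), the HMAC tag used as a stand-in for each approver's password or digital-signature validation, and the SHA-256 hash plus timestamp used as a stand-in for the digital notarization of U.S. Patent No. 5,781,629 are all this example's own assumptions; the patent specifies none of them.

```python
"""
Added example (not code from the patent): a minimal model of steps 56 to 66.
The data layout, the HMAC approval tag and the hash-plus-timestamp
notarization record are this example's own assumptions, not the patent's design.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed approver keys. A real deployment would use per-user credentials
# or signing keys held outside the source, not literals.
APPROVER_KEYS = {"alice": b"alice-key", "bob": b"bob-key"}


def sign_approval(approver: str, incident_id: str, key: bytes) -> str:
    """Stand-in for a digital signature over one approval decision."""
    msg = f"approve:{incident_id}:{approver}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_approval(approver: str, incident_id: str, tag: str) -> bool:
    """True only if the approver is authorised and the tag matches their key."""
    key = APPROVER_KEYS.get(approver)
    if key is None:
        return False
    return hmac.compare_digest(sign_approval(approver, incident_id, key), tag)


@dataclass
class Incident:
    incident_id: str
    alert_text: str                                  # the original security alert (step 54)
    status: str = "new incident"
    approvals: dict = field(default_factory=dict)    # approver -> tag


@dataclass
class NotaryRecord:
    sha256: str
    notarized_at: str


@dataclass
class Investigation:
    investigation_id: str
    incident_id: str
    evidence: dict = field(default_factory=dict)     # item name -> bytes; one store per investigation
    notary: dict = field(default_factory=dict)       # item name -> NotaryRecord


def add_evidence(inv: Investigation, name: str, data: bytes) -> NotaryRecord:
    """Store a copy of an evidence item and record its hash and time of notarization."""
    inv.evidence[name] = data
    rec = NotaryRecord(hashlib.sha256(data).hexdigest(),
                       datetime.now(timezone.utc).isoformat())
    inv.notary[name] = rec
    return rec


def verify_evidence(inv: Investigation, name: str) -> bool:
    """Later check that the stored copy still matches its notarization record."""
    return hmac.compare_digest(hashlib.sha256(inv.evidence[name]).hexdigest(),
                               inv.notary[name].sha256)


def open_investigation(inc: Incident, required_approvals: int = 2) -> Investigation:
    """Steps 60 to 64: open the investigation file only with enough distinct valid approvals."""
    valid = {a for a, tag in inc.approvals.items()
             if verify_approval(a, inc.incident_id, tag)}
    if len(valid) < required_approvals:
        inc.status = "incident awaiting approval"
        raise PermissionError(f"{len(valid)} valid approval(s), {required_approvals} required")
    inv = Investigation(f"INV-{inc.incident_id}", inc.incident_id)
    # The original alert is always among the evidence collected.
    add_evidence(inv, "original_alert.txt", inc.alert_text.encode())
    inc.status = "under investigation"
    return inv
```

An approval from a name not in the approver list, or one whose tag does not verify, is simply not counted, so a single valid approver cannot satisfy a two-person requirement by adding a second entry. A local hash and clock do not give the independent timestamp a third-party notary provides; in a deployment the NotaryRecord would be the receipt returned by such a service.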

It is noted that the system 10 can be used to create a database separate from any 
investigation. Separate databases can be used to maintain a library of electronic documents 
related to a certain project, corporate department and the like. The electronic documents 
contained in the database can also be notarized using the digital notary function. 

In addition to the incoming security alert administration function, the incident 
administration function and the investigation administration function, the system 10 is 
provided with an information technology policy administration function. At any point during 
the use of the system 10, the system 10 administrator can use and consult the information 
technology policy administration function. The information technology policy administration 
function will be discussed in more detail below with respect to Fig. 10. Briefly, the 
information technology policy administration function is a repository of form templates, 
security policies for the organization, and guidelines and checklists to be followed during an 
investigation or before an investigation is opened. The information technology policy 
administration function also has administration functions related to the foregoing repositories 
of files. 

The foregoing aspects of the system 10 will be discussed in more detail below. As 
will be apparent to one skilled in the art, the system 10 is a tool for an organization to 
automate incident response and investigation activities and provides a secure platform for 
investigators to share information and conduct analysis of accumulated data for current and 
past incidents and investigations. 

Since the system 10 has a variety of database and documentation features, it is 
desirable that the incident response and investigation software tool of the system 10 be built 
on a database and document management platform to provide the user with additional 
features and functions inherent to the underlying platform. An example of such a platform is 
LOTUS NOTES available from Lotus Development Corp., 55 Cambridge Parkway, 
Cambridge, MA 02142. 
In addition, the incident response and investigation software tool preferably provides a 
graphical user interface to the system 10 administrator for carrying out the functions of the 
general operational logic 50 as illustrated in FIG. 2 and the additional functions and features 
discussed below. As is known in the art, the GUI includes a menu bar disposed across the top 
of the display 28 having a series of pull down menus from which the system 10 administrator 
can choose various features of the database and document management platform and/or the 
incident response and investigation software tool. As is appropriate, the GUI will also have 
pop-up menus to illustrate selection choices when a certain feature is selected, scroll bars 
allowing the user to navigate through a displayed window, drop-down menus which drop 
down from the menu bar or other selected area, and context-sensitive menus for highlighting 
options available or unavailable to the user depending upon the context of the selected 
context-sensitive menu. 

Referring to Fig. 3, an incoming security alert administration function logic 100 is 
illustrated. The logic 100 starts in step 102 by receiving a security alert. As discussed above, 
the alert can be an incoming electronic mail message or a data message sent by a computer or 
software tool over the external network 38 and into the computer system 12 via the modem 
24. Alternatively, the security alert can be received by direct entry into the computer system 
12 via the keyboard 30, the mouse 32, the microphone 34, or other input device. 

With additional reference to Fig. 4, when a security alert is received, the system 10 
will send an incoming alert indication to an incoming alert administrator in step 106. The 
incoming alert indication can be in the form of one or more of an audible sound, a flashing light 
or display 28 screen icon, an alphanumeric page sent to a personal pager, an electronic mail 
message, a facsimile or the like. The incoming alert indication is intended to provide an indication to the 
administrator that a security alert has been received and is awaiting attention. The incoming 
alert indication can be sent to one or more persons. The incoming alert indication can be sent 
to a selected individual, or individuals, based on the type of security alert, the source of the 
alert, or the individual's expertise or responsibilities. 

Also in step 106, the incoming security alert is displayed on an incoming security alert 
display screen 104. The alerts are displayed as line items 108 on the display screen 104. 
Each line item contains an indication of the status and/or source of the security alert, the date 
and time the alert was received by the computer system 12, or alternatively, the date and time 
of the incident to which the security alert relates, and the subject matter of the alert. Each 
alert displayed as a line item 108 can be opened into a viewing window (not shown) to 
display more information related to the security alert or the content of a message contained 
within the security alert. The alert can be opened, for example, by directing a mouse pointer 
109 displayed on the display 28 with the mouse 32 to the desired line item 108 and clicking a 
mouse 32 button to select the security alert associated with the line item 108. This action can 
directly open the security alert into the viewing window or specify which of the line items 
108 the system 10 is to open following the selection of an action button, such as a review 
document button 110 used to open the security alert into the viewing window. 

Once a security alert is opened in the viewing window, the system 10 administrator 
can analyze the security alert to determine the nature of the incident reported by the security 
alert (step 106). In step 112, the system 10 administrator will then decide whether to take 
action on the security alert. As a safeguard, more than one person may be required to 
determine whether to take action based on the security alert. Alternatively, the decision 
making process can be automated and based on information contained in the security alert or 
the source of the security alert. If a decision is made not to take action in step 112, the alert 
will be stored in the memory 16 in a no action taken log (step 114). If, however, action is to 
be taken in step 112, the system 10 administrator will proceed as desired, preferably 
following established information technology security procedures (step 116). 

Example actions in step 116 include opening an incident file using the incident 
administration function. The incident administration function will be discussed in more detail 
below. An incident file may be created by selecting an open new incident file button 118 
appearing on the incoming security alert display screen 104. Selection of the open new 
incident file button 118 will link the user to a display screen specified by the system 10, such 
as the incident administration function or an incident file viewing/editing window. 

Other action in step 116 can include associating the alert with an existing 
investigation file or incident file, should the alert contain information related to an existing 
incident file or investigation file. A security alert can be associated with an incident file or an 
investigation file by selecting an associate alert button 120 appearing on the incoming 
security alert display screen 104 and specifying the target incident file or investigation file. 
Once action has been taken on a security alert, the security alert and the action taken are stored 
in the memory 16 in an action taken database (step 122). 

With continued reference to Fig. 4, the user can select among view buttons 124 
displayed on the incoming security alert display screen 104 to select among new security 
alerts (i.e., received but unprocessed security alerts), security alerts saved in the action taken 
database and security alerts saved in the no action taken database. The incoming security 
alert display screen 104 is also provided with link buttons 126 so that the user can select 
among the various administration functions of the incident response and investigation 
software tool, including the incoming security alert administration function, the incident 
administration function, the investigation administration function, and the information 
technology policy administration function. Although not illustrated, the link buttons 126 can 
have graphical icons to represent the destination of the link. 



Referring now to Fig. 5, an incident administration function logic 150 is illustrated, 
and, with additional reference to Fig. 6, an incident administration display screen 154 is 
illustrated. If a new incident file is to be opened (step 152), the system 10 administrator can 
select an open new incident file button 156 to access an incident file viewing window (not 
shown). It is noted that the create incident file button 118 on the incoming security alert 
display screen 104 (FIG. 4) invokes similar operation to the button 156. The following 
incident file creation and documentation procedure is conducted in step 158 of the incident 
administration function logic 150. 

The incident file viewing window will contain information relating to the incident at 
hand and/or fields to be populated with information relating to the incident. This information 
can include an incident identification number which is either selected by the system 10 
administrator or automatically determined by the system 10. The information also includes 
an incident name, such as website hacked, falsified expense account, or harassing e-mails. 
The incident file will also identify employees involved or suspected to be involved in the 
incident, the information source of the security alerts, and which personnel have responsibility 
to act upon the incident. The information also includes an incident status, including new 
incident, incident awaiting approval, investigation approved, investigation denied, under 
investigation, and incident resolved. If the incident has been approved for investigation, 
denied for investigation, or resolved, an associated approval date, denial date or resolution 
date may also be placed in the incident file. The incident may also be assigned a priority such 
as an emergency, high priority, normal priority, or low priority. The incident may also be 
categorized such as computer intrusion, employee conduct or the like. Subcategories may 
also be specified, such as internal threat, external threat, potential criminal conduct, violation 
of company regulations and the like. The incident file may also contain an incident 
description containing text entered by the system 10 administrator with any information 
related to the incident. The incident file may also contain a list of incident events and any 
additional comments, notes or conclusions. 

The incident file can be read and write access controlled using password or digital 
signature schemes. Accordingly, the incident file will contain information related to those 
with read access and those with write access (those with the ability to edit the incident file). 
The incident file will also contain data on when the incident file was created and by whom, 
and will contain information on when the incident file was modified and by whom. 

Once an incident file has been opened, the decision to open an investigation is 
conducted in step 160. Step 160 relates to steps 58 through 62 illustrated in Fig. 2 and 
discussed in more detail above. Therefore, the decision process of whether to open an 
investigation will not be discussed in detail at this point. However, the system 10 
administrator can access an investigation approval routing form by selecting an approval 
button 165 displayed on the incident administration display screen 154. The investigation 
approval routing form can be transmitted to those in charge of deciding whether to open an 
investigation. The form can be signed with pen and ink, approved using a password or digital 
signature, or denied using the same methods. If an investigation is not opened, either because 
an investigation is not warranted or an investigation has been denied, the incident file will be 
stored in an incident file database in step 162 for review at a later date, if desired. If an 
investigation is to be opened, the system 10 administrator can select an open investigation 
button 164 displayed on the incident administration display screen 154. The open 
investigation button 164 will serve as a link to the incident administration function as will be 
described in more detail below. The system 10 will lock the system 10 administrator's ability 
to open an investigation if approval has not been granted. 

The content of a selected incident file may be updated in step 166, such as changing 
the incident file priority, incident file status, adding description details, and so forth. The 
incident file can be accessed for revision by selecting an edit button 168 displayed on the 
incident administration display screen 154. If the incident file is password protected under 
the write access control, the user will be prompted to enter a valid password or digital 
signature after selecting the edit button 168. The incident administration function will also 
allow a person with read access privileges to review an incident file by selecting a review 
button 170. 

The incident file database can be searched for a particular incident, or for incidents 
having a particular item in common, using a search tool accessed by pressing the search 
button 172. To assist in searching, the incident administration function logic 150 can 
also be provided with an indexing tool so that the system 10 administrator can associate 
incident files with selected search terms. 

The incident administration function also allows for the generation of reports (step 
173). For example, a report can be generated providing details of a particular incident file by 
selecting a create incident report button 174. An incident report content selection window is 
then displayed for the system 10 administrator to select which items of information contained 
in the incident file are to be printed or displayed. Alternatively, the reports may be generated 
based on more than one incident, for example, statistical reports highlighting the number of 
incidents in a particular incident category or assigned to a certain status, and reports 
highlighting trends or other correlated data. This type of report can be generated by selecting 
a create executive report button 176 displayed on the incident administration display screen 
154. 

The incident administration display screen 154 displays selected incident files as line 
items 178. Each line item 178 can be displayed under a heading 179 relating to the status or 
priority of the associated incident file. Each line item 178 can contain items of information, 
such as an incident name, incident identification number, date created and by whom, and so 
forth. Each heading 179 can also contain information, such as the number of incident files 
under the heading 179 and the percentage of incident files under the heading as a function of 
all the incidents. 

WO 01/25935 PCT/US00/14992 

The incident administration display screen 154 is provided with view buttons 180 to 
select different views, such as all of the incident files categorized under status headings, 
priority headings, or category headings, new incidents, all incidents waiting to be approved, 
all approved incidents, all denied incidents, all incidents under investigation, and all resolved 
incidents. If the incident files are displayed under a heading 179, the heading 179 may be 
provided with an expand or contract button 184, as is well known in the art, to select between 
displaying the incidents under the heading 179 or not displaying the incidents under the 
heading 179. Link buttons 126 (described above) may also be provided as part of the incident 
administration display screen 154. 

Each time an incident file is opened or modified, the incident administration function 
logic 150 will store or update the incident file in step 186. 



Referring now to Fig. 7, an investigation administration function logic 200 is 
illustrated for the incident response and investigation system 10 and, with additional 
reference to Fig. 8, an investigation administration display screen 206 is illustrated. Upon the 
opening of an investigation file in step 202, an investigation documentation window is 
displayed to the operator (not shown) for providing information to document the investigation 
file in step 204. The investigation documentation window can be accessed by selecting an 
open investigation file button 208 or open investigation file button 164 (FIG. 6). It is noted 
that an existing investigation file can be reviewed by selecting a review investigation file 
button 210 or edited by selecting an edit investigation file button 212. The buttons 208, 210 
and 212 can be provided with the security lock-out and read/write access features discussed 
above (i.e., approval requirements, password requirements, etc.). 

Each investigation file contains information such as an investigation identification 
number, an investigation name, employees or other persons who are the subject of the 
investigation, and the source or sources of information relevant to the investigation, including 
persons to be interviewed and equipment to be analyzed. The investigation file also contains 
information related to the investigator or investigators and any sub-teams or specialists to be 
involved with the investigation. The investigation file also contains information regarding 
the investigation status, such as open or closed. The priority of the investigation is also 
contained in the investigation file, such as emergency, high, normal or low priority. The 
investigation file may be assigned an activity state such as active, idle, on hold or closed. 
Investigations may also be categorized, such as computer intrusion, employee conduct, and 
the like. Investigations may also be sub-categorized. Example sub-categories for a computer 
intrusion category would include internal threat, external threat, and so forth. 

The investigation file includes an investigation description containing general 
information pertaining to the investigation. In addition, the investigation file contains a 
section for significant investigation events which will be completed as the investigation 
progresses. A section for comments, notes and conclusions is also provided. A section for 
investigation characteristics and classifications can be provided to provide for additional 
elaboration on non-technical characteristics of the investigation, such as remarks related to 
insider assistance of an external computer intrusion threat. 

The investigation file provides for a number of technical classifications such as 
technology type, including various items of software and/or hardware. Technical 
classifications also include technological function such as an electronic mail gateway or 
firewall. Technical classifications also include any computer environments affected, the 
vendors of software and hardware which may be affected, the operating systems that may be 
affected, computer programs, applications and application servers potentially involved in the 
incident generating the investigation, and middle-ware or other software related to the 
investigation. 

The investigation file also includes read and write access controls similar to those 
described above for incident files. Finally, the investigation file includes documentation of 
who opened the investigation file and when, and who has modified the investigation file and 
when those modifications were made. 

Once an investigation file has been opened, it may be desirable to inform certain 
individuals, or groups of individuals, that an incident has occurred and an investigation is 
currently pending to study the incident. The system 10 administrator may send an alert in 
step 214 (Fig. 7) by selecting an alert button 216 (Fig. 8). Upon selecting the alert button 
216, the system 10 will display an alert window (not shown) on the display 28. The alert 
window will allow the user to select the recipients of the alert by either specifying the 
recipients or selecting among groups of pre-defined recipients. The pre-defined groups 
include a steering committee consisting of a group of persons internal to the organization and 
typically including high-level managers or decision makers. The groups also include a 
response team which is usually an internal group of persons related to the organization and 
includes people with technical skill to coordinate and carry out a response to the incident and 
conduct the investigation. The groups also include an emergency response team made up of 
either internal or external persons having a very high skill level to address the incident at 
hand and/or resources to respond very rapidly to the incident. The groups also include 
authority personnel, such as a human resources department, internal security and/or external 
law enforcement. External law enforcement includes local police departments and the 
Federal Bureau of Investigation (FBI) who can be notified if the situation may require the 
assistance of these authorities or if their knowledge of the incident is desired. 

The alert window can be used to select all or some of the individuals previously 
defined as being part of the selected group. The investigation identification number is also 
associated with the alert and any other additional instructions or comments to be sent to the 
alertees. The system 10 administrator can also select how the alertees are to be informed of 
the incident and pending investigation. Alert methods include sending an alpha-numeric 
page, sending an e-mail, telephoning the alertee, personally visiting the alertee, and the like. 
In an alternative arrangement, an alert can be generated upon the identification of an incident 
without waiting for an investigation file to be opened. This is useful in situations where time 
may be of the essence. 

With continued reference to Figs. 7 and 8, an electronic evidence database can be 
created for the investigation (step 218). The evidence database is a repository for any 
electronic documents related to the investigation including, but not limited to, e-mails, e-mail 
server logs, firewall logs, documents, contents of hard drives, application files such as word 
processing documents and spreadsheets, and any other information saved on computer- 
readable media. The electronic documents can also include paper documents which have 
been scanned by the scanner 36 and stored on the memory 16. 
The evidence database can be created by selecting a create evidence database button 
220 on the evidence administration display screen 206. Upon selecting the create evidence 
database button, an evidence window (not shown) will be displayed on the display 28. The 
evidence entered into the database can be categorized and displayed by status such as analysis 
pending, notarization, notarized and awaiting analysis, analyzed and not notarized. More 
specifically, each item of evidence is listed in line items under a status heading. The evidence 
may also be displayed by category or type of evidence, by author, or a listing of all 
documents. For convenience, the evidence items may be indexed and searchable. The 
evidence database can also store and display comments related to selected items of evidence. 

The evidence display window can include buttons which link the user to evidence 
administration tools (step 219), such as a comment on evidence button and respond to 
comment button for respectively documenting comments on a certain piece of evidence and 
entering a response to those comments. A new evidence button may also be provided to enter 
a new piece of evidence into the evidence database and key in related information, such as the 
date the evidence was seized, a title for the evidence, the person seizing the evidence, and the 
person, device or software thought to have created the evidence. 

A digital notary button is also provided so that, once an evidence item is entered into 
the evidence database, the item can optionally be digitally notarized to create a record of the 
contents of the evidence item at the time of notarization (step 220). Digital notarization 
techniques are known in the art and include the digital document authentication system 
described in U.S. Patent No. 5,781,629, incorporated herein by reference in its entirety. 

Referring to FIG. 9, an example flow chart for a digital notary function logic 222 is 
illustrated. Briefly, the digital notarization function includes creating a fingerprint of the 
electronic document (step 224). The fingerprint is usually created by sampling selected 
portions of the document and storing those sections in a separate file. Next, the fingerprint is 
transmitted to a notary function (step 226). The notary function is resident either in the 
computer system 12 or on a separate computer system connected to the computer system 12 
via the external network 38. The fingerprint is time-stamped by the notary function (step 
228). The time-stamped fingerprint is appended with hash codes which typically are derived 
from the fingerprint, time-stamp and/or other unpredictable data values (step 228). The 
fingerprint, time-stamp and hash values are assembled into a notary record which is logically 
associated with the original electronic document (step 230) and stored in the memory 16 (step 
232). 
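The notarization steps of FIG. 9, worked through as an added Python example that is not code from the patent. It assumes a SHA-256 digest of the whole document as the fingerprint (rather than the sampled portions the text describes) and a secret key held by the notary function that seals the record, so that verification fails if the document, the time-stamp or the record itself is later altered:

```python
"""Added example (not the patent's code): a minimal digital notary record for
an item of electronic evidence, following steps 224 to 232 of FIG. 9.

Assumptions (mine, not the page's): the fingerprint is a SHA-256 digest of the
whole document; the notary function holds a secret key and seals each record
with an HMAC; the hash code appended to the time-stamped fingerprint is derived
from the fingerprint, the time-stamp and a random nonce (the "unpredictable
data value" of step 228).
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Optional

NOTARY_KEY = secrets.token_bytes(32)  # known to the notary function only


def fingerprint(document: bytes) -> str:
    """Step 224: create a fingerprint of the electronic document."""
    return hashlib.sha256(document).hexdigest()


def _combined_hash(fp: str, stamp: str, nonce: str) -> str:
    """Step 228: hash code derived from fingerprint, time-stamp and nonce."""
    return hashlib.sha256(f"{fp}|{stamp}|{nonce}".encode()).hexdigest()


def _seal(record: dict, key: bytes) -> str:
    """HMAC over every field except the seal itself (binds the whole record)."""
    unsealed = {k: v for k, v in record.items() if k != "seal"}
    payload = json.dumps(unsealed, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def notarize(document: bytes, *, key: bytes = NOTARY_KEY,
             now: Optional[datetime] = None) -> dict:
    """Steps 226-232: time-stamp the fingerprint, append the hash code and
    assemble a sealed notary record to be stored beside the document."""
    fp = fingerprint(document)
    stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    nonce = secrets.token_hex(16)
    record = {
        "fingerprint": fp,
        "timestamp": stamp,
        "nonce": nonce,
        "hash": _combined_hash(fp, stamp, nonce),
    }
    record["seal"] = _seal(record, key)
    return record


def verify(document: bytes, record: dict, *, key: bytes = NOTARY_KEY) -> bool:
    """Re-derive every value from the document and check the seal.
    False if the document, the time-stamp, the nonce or the seal was altered."""
    if not hmac.compare_digest(_seal(record, key), record.get("seal", "")):
        return False
    if record["fingerprint"] != fingerprint(document):
        return False
    expected = _combined_hash(record["fingerprint"], record["timestamp"], record["nonce"])
    return hmac.compare_digest(expected, record["hash"])


if __name__ == "__main__":
    # Constructed evidence item, not taken from any real investigation.
    evidence = b"From: someone@example.test\r\nSubject: expense report\r\n\r\n...\r\n"
    rec = notarize(evidence)
    print(verify(evidence, rec))            # True: untouched
    print(verify(evidence + b"x", rec))     # False: contents changed
    rec["timestamp"] = "1999-10-01T00:00:00+00:00"
    print(verify(evidence, rec))            # False: time-stamp changed
```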

Referring back to FIGS. 7 and 8, the evidence administration functions of the system 
10 include an electronic mail analysis function (step 238). The electronic mail analysis 
allows the system 10 administrator to specify a list of keywords by entering the words or 
making menu selections. Once the keywords are entered and/or selected, the system 10 
administrator can identify a group of electronic mail documents. Then, the system 10 will search 
the group of electronic mail documents for any appearance of the keywords in the electronic 
mail documents. Once the system 10 has identified any target e-mails containing any of the 
specified keywords, the system 10 will transfer the target e-mails, or a copy of the target e-
mails, to an appropriate electronic evidence database. 
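The keyword search of step 238, reduced to a triage routine as an added Python example (not the patent's code). It assumes RFC 822 text messages parsed with the standard library, whole-word case-insensitive matching in the subject and text body, and a constructed three-message mailbox; each copied e-mail is recorded together with the keywords that hit and a digest of the raw message so the copy can later be compared with the original:

```python
"""Added example (not the patent's code): the electronic mail analysis
function of step 238 as a keyword triage over a small constructed mailbox.

Assumptions (mine): messages are RFC 822 text; a keyword counts only as a
whole word, case-insensitively, in the Subject header or a text/plain part;
a matching message is copied into the evidence database as a dict that also
carries a SHA-256 digest of the raw message.
"""
import hashlib
import re
from email import message_from_bytes
from email.message import Message
from typing import Dict, List

# Constructed sample mailbox; the second and third messages should be selected.
SAMPLE_MAILBOX: List[bytes] = [
    b"From: bob@example.test\r\nTo: carol@example.test\r\nSubject: Lunch\r\n\r\n"
    b"Are we still on for Thursday?\r\n",
    b"From: dave@example.test\r\nTo: bob@example.test\r\nSubject: Expense report\r\n\r\n"
    b"I padded the receipts again; nobody checks the EXPENSE totals.\r\n",
    b"From: eve@example.test\r\nTo: dave@example.test\r\nSubject: re: the plan\r\n\r\n"
    b"Copy the customer database to the usb drive before Friday.\r\n",
]


def _searchable_text(msg: Message) -> str:
    """Subject plus every decoded text/plain part, joined into one string."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def find_keywords(raw: bytes, keywords: List[str]) -> List[str]:
    """Return the keywords that occur as whole words in the message.
    Whole-word matching avoids hits such as 'expense' inside 'expensed'."""
    text = _searchable_text(message_from_bytes(raw))
    hits = []
    for kw in keywords:
        if re.search(r"\b" + re.escape(kw) + r"\b", text, re.IGNORECASE):
            hits.append(kw)
    return hits


def analyze_mail(mailbox: List[bytes], keywords: List[str]) -> List[Dict]:
    """Copy each target e-mail into an evidence record; other mail is left alone."""
    evidence_db: List[Dict] = []
    for raw in mailbox:
        hits = find_keywords(raw, keywords)
        if not hits:
            continue
        msg = message_from_bytes(raw)
        evidence_db.append({
            "from": msg.get("From", ""),
            "subject": msg.get("Subject", ""),
            "keywords": hits,
            # digest of the raw message fixes what was copied, for later comparison
            "sha256": hashlib.sha256(raw).hexdigest(),
            "copy": raw,
        })
    return evidence_db


if __name__ == "__main__":
    for item in analyze_mail(SAMPLE_MAILBOX, ["expense", "receipts", "database"]):
        print(item["from"], "|", item["subject"], "|", item["keywords"])
```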

The investigation administration function logic 200 is programmed to include various 
investigation administration functions in step 238. The investigation administration functions 
include creating activity documents by selecting a create activity document button 240 in the 
investigation administration display screen 206. Activity documents include tasks for the 
investigators to perform, calendars, a collection of investigation target dates, time-lines of 
suspected activity related to the incident, outstanding and/or completed investigation tasks, 
and reports of activities yet to be completed. 

In addition, documentation related to an investigation may be generated, displayed 
and printed. The investigation administration function step 238 also provides for the 
generation of investigation reports, including high-level executive reports to chart trends and 
correlate various data. For complicated investigations, the investigation may be broken down 
into more manageable sub-investigations. Each sub-investigation can be managed using the 
same tools and functions as described herein for investigation files. 

By selecting a team setup button 242, the system 10 administrator can set up teams 
and sub-teams of investigators and/or define the members of the alert groups discussed above. 
In addition, each investigation may be associated with various indexed terms using an 
indexing tool accessed with an index button 244 to create a searchable database using a 
search tool accessed with a search button 246. 

Each investigation can be displayed on the investigation administration display screen 
206 as a line item 248 under headings 249. The line items 248 can be arranged under various 
categories such as the priority of the investigation, the activity state of the investigation, the 
investigator, or by investigation category by selecting one of various investigation view 
buttons 250. Each line item can contain an investigation name, an investigation identification 
number, icons (not shown) to symbolize various aspects of an investigation, and any other 
relevant information, such as dates and/or times. The investigation administration display 
screen 206 can also display statistical information for each category heading 249 such as the 
number of open investigations under the heading 249 and the number of closed investigations 
under that heading 249. The investigation administration display screen 206 can also be used 
to display investigation activities by selecting activity view buttons 252. Example display 
views include activities by calendar, activities by investigation, activities by investigator, 
activities by activity type and activities by investigation team. Links 126 as described more 
fully above are also provided to navigate between the various display screens described 
herein. 

The investigation administration function logic 200 will store all information related 
to each investigation file each time the investigation database is modified or a new 
investigation file is opened (step 256). 

Referring now to Fig. 10, an information technology policy administration screen 300 
is illustrated. The information technology policy administration screen 300 allows the user to 
carry out matters related to the information technology policy administration function briefly 
mentioned above. The screen 300 allows the user to select among and display one or more 
databases of information using view buttons 302. For example, the system 10 administrator 
can select to view investigation support material containing checklists and procedures to be 
followed upon the receipt of a security alert, when administering incidents and when 
administering investigations. The information technology policy administration function can 
also be used to store information security policies, standards and procedures relating to all 
aspects of an organization's body of information technology. These policies can be 
individually entered into the database or loaded as entire files supplied by a vendor. 
A document stored by the information technology policy administration function can 
be reviewed in detail by selecting the document displayed as a line item 304 and then 
selecting a review document button 306 to open a document view window (not illustrated) 
containing the text and/or illustrations of the document. Alternatively, the user can double 
click directly on the line item 304. The documents of the information technology policy 
administration function can be indexed based on key words using an indexing tool accessible 
by selecting an index button 308. The index can be subsequently searched using a search tool 
accessible by selecting a search button 310. 

A new policy can be introduced or an existing policy can be changed using a change 
policy/new policy button 312. Selecting this button will open a policy administration 
window (not shown) allowing the system 10 administrator to enter the new policy or edit an 
existing policy and then route the new or changed policy for approval by a policy review 
team. The policies can be routed using e-mail, fax, electronic document transfer or other 
similar method. Approval or denial can be made based on written signature, entering a 
password or providing a digital signature. Members of the policy review team may also 
provide commentary on the new policies to spawn further discussions and/or changes of the 
policies, if desired. The information technology policy administration function can be 
programmed to send automatic reminders to the members of the policy review team if 
approval, denial or comments have not been received within a specified period of time. The 
system 10 administrator can display policies waiting for approval by selecting a policy 
awaiting approval button 314. The system 10 administrator can display commentary on the 
pending policies by policy category, status or author using the discussion buttons 317. 

Once a new policy has been approved or the changes to an existing policy have been 
approved, the system 10 administrator can send a newsletter to all persons to be informed of 
the new or changed policy. To accomplish this, the system 10 administrator can select a 
newsletter button 316 which will provide the system 10 administrator with menus to select 
the recipient(s) of the newsletter, including predefined groups, such as all employees, all 
managers, all staff, and the like, and menus to specify the policy or policies to be presented in 
the newsletter. The newsletter can also be used to send existing policies to selected members 
of the organization, such as to a new employee or to all employees on a periodic basis. 
The information technology policy administration screen 300 is also provided with an 
approval profiles button 318 for displaying an approval group window (not illustrated). The 
approval group window will provide the system 10 administrator with menus to select and/or 
enter the members of various approval teams mentioned herein, such as the persons to 
approve the opening of an investigation or the persons to approve a new information 
technology policy, standard or procedure. The system 10 administrator can display and/or 
edit request templates, forms (i.e., investigation or new policy approval forms) used to carry 
out the administration functions of the system 10 described herein. The forms and templates 
can be displayed by type or by the approving party by selecting among request buttons 319. 

The foregoing discussion states that various features and functions of the system 10 
can be accessed and carried out by a person with the title of system 10 administrator. It 
should be understood that accessing each of these features and functions can be limited by 
access control techniques, such as passwords and/or digital signatures. One skilled in the art 
will also recognize that the same features and functions are not limited for use by a person 
given the title of system 10 administrator, but can be accessed by any person using the system 
10, either locally or remotely, who has been granted access under the access control 
techniques. 

Preferably, the system 10 is provided with multiple levels of access security. More 
specifically, access is controlled on various system 10 levels, such as a database level, a view 
(i.e., display, screen or window) level, a form level, a document level, a document 
portion or section level and a field level. Once logged into the system 10, a user will be able 
to display and work with all material to which he or she has been granted access. Material to 
which the user has not been granted access will be blocked from being displayed, altered, 
viewed, printed and otherwise worked with. In addition, the system 10 is capable of 
selectively encrypting database contents at various levels, such as all information stored by 
the database, all information associated with one of the administration functions, a view level, 
a form level, a document level, a document section level and a field level. 
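One way to model the database-to-field access levels just described, added here as a Python example that is not the patent's code. The grant table, node names and the incident document are constructed; a field lookup must be granted at every enclosing level to succeed, an unknown node denies (fail closed), and blocked fields are redacted in the returned view. Selective encryption of the blocked material is not covered:

```python
"""Added example (not the patent's code): hierarchical access control with
the levels named in the text, from database down to individual field.

Assumptions (mine): grants are stored per (level, name) node as the set of
users allowed there; a read succeeds only if the user is granted at every
node on the path to the field; nodes absent from the table deny.
"""
from typing import Dict, List, Set, Tuple

LEVELS = ("database", "view", "form", "document", "section", "field")

# Constructed grant table: (level, name) -> users allowed at that node.
GRANTS: Dict[Tuple[str, str], Set[str]] = {
    ("database", "incidents"): {"alice", "bob", "carol"},
    ("view", "incident_admin"): {"alice", "bob", "carol"},
    ("form", "incident_file"): {"alice", "bob", "carol"},
    ("document", "INC-0042"): {"alice", "bob"},          # carol: no document grant
    ("section", "INC-0042/description"): {"alice", "bob"},
    ("section", "INC-0042/suspects"): {"alice"},         # bob: no section grant
    ("field", "INC-0042/description/text"): {"alice", "bob"},
    ("field", "INC-0042/suspects/employee_ids"): {"alice"},
}

# Constructed incident file: section -> field -> value.
INCIDENT = {
    "id": "INC-0042",
    "sections": {
        "description": {"text": "Web server page defaced, source alert 104"},
        "suspects": {"employee_ids": ["E1234"]},
    },
}


def path_for(doc_id: str, section: str, field: str) -> List[Tuple[str, str]]:
    """Nodes a field lookup passes through, outermost level first."""
    return [
        ("database", "incidents"),
        ("view", "incident_admin"),
        ("form", "incident_file"),
        ("document", doc_id),
        ("section", f"{doc_id}/{section}"),
        ("field", f"{doc_id}/{section}/{field}"),
    ]


def can_read(user: str, doc_id: str, section: str, field: str) -> bool:
    """True only if the user holds a grant at every level; missing nodes deny."""
    return all(user in GRANTS.get(node, set())
               for node in path_for(doc_id, section, field))


def redacted_view(user: str, doc: dict) -> dict:
    """Copy of the document in which every field the user may not read is blocked."""
    out = {"id": doc["id"], "sections": {}}
    for section, fields in doc["sections"].items():
        out["sections"][section] = {
            field: (value if can_read(user, doc["id"], section, field) else "<blocked>")
            for field, value in fields.items()
        }
    return out


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, redacted_view(user, INCIDENT)["sections"])
```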

Although the logic routines 50, 100, 150, 200 and 222 (FIGS. 2, 3, 5, 7 and 9) of the 
present invention are embodied in software as discussed above, this logic may alternatively 
be embodied in hardware or a combination of software and hardware. If embodied in 
hardware, the foregoing logic can be implemented as a circuit or state machine that employs 
any one of or a combination of a number of technologies. These technologies may include, 
but are not limited to, discrete logic circuits having logic gates for implementing various logic 
functions upon an application of one or more data signals, application specific integrated 
circuits having appropriate logic gates, programmable gate arrays (PGA), field programmable 
gate arrays (FPGA), or other components, etc. Such technologies are generally well known 
by those skilled in the art and, consequently, are not described in detail herein. 

The diagrams described herein show the architecture, functionality, and operation of 
an implementation of the foregoing logic. If embodied in software, each block may represent 
a module, segment, or portion of code that contains one or more executable instructions to 
implement the specified logical function(s). If embodied in hardware, each block may 
represent a circuit or a number of interconnected circuits to implement the specified logical 
function(s). Although the block diagrams and flow charts show a specific order of execution, 
it is understood that the order of execution may differ from that which is depicted. For 
example, the order of execution of two or more blocks may be altered relative to the order 
shown. Also, two or more blocks shown in succession may be executed concurrently or 
with partial concurrence. In addition, various blocks may be omitted. It is understood that all 
such variations are within the scope of the present invention. 

Also, the logic can be embodied in any computer-readable medium for use by or 
connection with an instruction execution system such as a computer/processor based system 
or other system that can fetch or obtain the logic from the computer-readable medium and 
execute the instructions contained therein. In the context of this document, a 
"computer-readable medium" can be any medium that can contain, store, or maintain logic 
and/or data for use by or in connection with the instruction execution system. The computer 
readable medium can be any one of many physical media such as, for example, electronic, 
magnetic, optical, electromagnetic, infrared, or semiconductor media. More specific 
examples of a suitable computer-readable medium would include, but are not limited to, a 
portable magnetic computer diskette such as floppy disk, a hard disk, a random access 
memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory, 
or a compact disc. 
Although particular embodiments of the invention have been described in detail, it is 
understood that the invention is not limited correspondingly in scope, but includes all 
changes, modifications and equivalents coming within the spirit and terms of the claims 
appended hereto. 
CLAIMS 

What is claimed is: 

1. A method of responding to an information technology related incident, 
comprising the steps of: 

receiving a security alert, the security alert being displayed on an incident response 
and investigation system for analysis by an administrator; 

documenting the incident based on information contained in the security alert; 

opening an investigation file to administrate an investigation of the incident; and 

collecting items of electronic evidence and maintaining the evidence in an electronic 
evidence database associated with the investigation file. 

2. The method according to claim 1, further comprising the step of routing an 
investigation approval form to selected individuals for the individuals to authorize or deny the 
investigation of the incident. 

3. The method according to any of claims 1 to 2, wherein the security alert is an 
electronic transmission, an author of the electronic transmission being anonymous. 

4. The method according to any of claims 1 to 3, further comprising the steps of 
establishing a set of criteria for securing alert handling and acting upon the security alert 
based on the set of criteria. 

5. The method according to claim 4, wherein the step of acting upon the security 
alert is carried out by a computer system. 

6. The method according to any of claims 1 to 5, further comprising the step of 
digitally notarizing at least one item of electronic evidence contained in the electronic 
evidence database. 
7. The method according to any of claims 1 to 6, further comprising the steps of 
searching a selected electronic mail file for at least one specified word and storing the 
electronic mail file in the electronic evidence database if the at least one specified word is 
present in the electronic mail file. 

8. The method according to any of claims 1 to 7, further comprising the step of 
alerting at least one person that an investigation file has been opened. 

9. The method according to any of claims 1 to 8, further comprising the steps of 
storing a collection of security policies and support guidelines in a database and referring to 
the policies and guidelines to document the incident and administering to the investigation of 
the incident. 

10. An incident response and investigation system comprising: 

an incoming security alert administration function for receiving and analyzing security 
alerts, each security alert containing information related to an event, the event being related to 
an information technology policy, standard or procedure of an organization; 

an incident administration function for creating an incident file to document the event; 

and 

an investigation administration function for administering an investigation of the 
event documented in the incident file. 

11. The system according to claim 10, wherein the security alert is electronically 
transmitted to the system anonymously. 

12. The system according to any of claims 10 to 11, wherein the security alert is 
generated by an information technology security device or software tool. 

13. The system according to any of claims 10 to 12, further comprising an 
information technology policy administration function for storing a collection of security 
policies and support guidelines in a database, the policies and guidelines accessible from the 
incident administration function and the investigation administration function. 

14. The system according to any of claims 10 to 13, wherein the investigation 
administration function includes an electronic authorization function to approve an opening 
of an investigation file. 

15. The system according to any of claims 10 to 14, wherein the investigation 
administration function further includes an electronic evidence database for maintaining, 
organizing and analyzing electronic documents. 

16. The system according to claim 15, wherein the electronic evidence database 
has a digital notarization function for digitally notarizing at least one item of electronic 
evidence contained in the electronic evidence database. 

17. The system according to any of claims 10 to 16, wherein the investigation 
administration function includes an electronic mail search tool for searching a selected 
electronic mail file for at least one specified word and storing the electronic mail file in an 
electronic evidence database if the at least one specified word is present in the electronic mail 
file. 

18. The system according to any of claims 10 to 17, further comprising an 
investigation alerting tool for alerting at least one person that an investigation file has been 
opened. 
V. Reasoned statement under Article 35(2) with regard to novelty, inventive step or industrial applicability; 
citations and explanations supporting such statement 

1. Statement 

Novelty (N)                     Claims NONE        YES 
                                Claims 1-18        NO 

Inventive Step (IS)             Claims NONE        YES 
                                Claims 1-18        NO 

Industrial Applicability (IA)   Claims 1-18        YES 
                                Claims NONE        NO 

2. citations and explanations (Rule 70.7) 

Claims 1-18 lack an inventive step under PCT Article 35(3) as being anticipated by Boebert et al. (5,864,683). 

As per claims 1,10 Boebert discloses a method of responding to an information technology related incident such as a system 
for secure transfer of data between a computer connected to a private network and a remote computer connected to an unsecured 
network [abstract], comprising the steps of: 

receiving a computer generated security alert indicative of prohibited activity transpiring between a first and a second 
networked computing device [col 1 lines 25-52]; 

displaying the security alert on an incident response and investigation system for analysis by an administrator [col 
19 lines 1-34]; 

creating an electronic documentation of a potential computer network misconduct incident based on information 
contained in the security alert [col 22 lines 5-35, col 25 lines 25-61]; 

opening an electronic investigation file to facilitate administration of an investigation of the potential computer 
network misconduct incident [col 28 lines 28-46]; 

collecting items of electronic evidence relating to the investigation of the potential computer network misconduct 
incident [col 15 lines 24-33]; and 

maintaining the electronic evidence in an electronic evidence database associated with the electronic investigation file 
[col 29 lines 1-46, col 30 lines 27-38]. 

As per claims 2,14 Boebert discloses the step of routing an investigation approval form to at least one selected 
individual for the at least one individual to authorize or deny the investigation of the incident as inherent in tracing the source 
of an attack and raising an alarm [col 15 lines 24-35, col 19 lines 17-34]. 

As per claims 3,11 Boebert discloses the security alert is generated in response to an action of an author, the author 
being anonymous as an inherent feature of encryption [col 13 lines 37-63]. 

As per claims 4,5 Boebert discloses the steps of establishing a set of criteria for security alert handling and (Continued 
on Supplemental Sheet.) 
Continuation of: Boxes I - VIII 
I. BASIS OF REPORT: 

This report has been drawn on the basis of the description, 

page(s) 1-24, as originally filed. 

page(s) NONE, filed with the demand. 

and additional amendments: 

NONE 

This report has been drawn on the basis of the claims, 

page(s) NONE, as originally filed. 

page(s) NONE, as amended under Article 19. 

page(s) NONE, filed with the demand. 

and additional amendments: 

Pages 25,26,27/1,27/2, filed with letter of 28 September 2001. 

This report has been drawn on the basis of the drawings. 

page(s) 1-10, as originally filed. 

page(s) NONE, filed with the demand. 

and additional amendments: 

NONE 

This report has been drawn on the basis of the sequence listing part of the description: 

page(s) NONE, as originally filed. 

page(s) NONE, filed with the demand. 

and additional amendments: 

NONE 

V. 2. REASONED STATEMENTS - CITATIONS AND EXPLANATIONS (Continued): 
acting upon the security alert based on the set of criteria as inherent feature of security policy [col 1 lines 25-33]. 

As per claims 6,16, Boebert discloses the electronic evidence database has a digital notarization function for 
digitally notarizing at least one item of electronic evidence contained in the electronic evidence database [col 29 lines 1-46]. 

As per claims 7,17, Boebert discloses the investigation administration function includes an electronic mail search tool 
for searching a selected electronic mail file for at least one specified word and storing the electronic mail file in an electronic 
evidence database if the at least one specified word is present in the electronic mail file [col 29 lines 1-46]. 

As per claims 8,18, Boebert discloses alerting at least one person that an investigation file has been opened 
such as breach security [col 9 lines 12-28] and security [illegible] [col 12 lines [illegible]]. 

As per claim 9, Boebert discloses the steps of storing a collection of security policies and support guidelines in a 
database and referring to the policies and guidelines when documenting the incident and administering to the investigation of 
the incident [col 15 lines 24-35, col 28 lines 28-45]. 

As per claim 12, Boebert discloses the security alert is generated by an information technology security device or 
software tool [col 12 lines 43-59]. 

As per claim 13, Boebert discloses an information technology policy administration means for storing a collection of 
security policies and support guidelines in a database, the policies and guidelines accessible from the incident administration 
means and the investigation administration means as inherent feature of security policy [col 1 lines 25-33]. 

As per claim 14, Boebert discloses the investigation administration means includes an electronic authorization means 
to approve an opening of an investigation file [col 15 lines 24-35, col 28 lines 28-45]. 



NEW CITATIONS 
CLAIMS 

What is claimed is: 

1. A method of responding to an information technology related incident, 
comprising the steps of: 

receiving a computer generated security alert indicative of prohibited activity 
transpiring between a first and a second networked computing device; 

displaying the security alert on an incident response and investigation system for 
analysis by an administrator; 

creating an electronic documentation of a potential computer network misconduct 
incident based on information contained in the security alert; 

opening an electronic investigation file to facilitate administration of an investigation 
of the potential computer network misconduct incident; 

collecting items of electronic evidence relating to the investigation of the potential 
computer network misconduct incident; and 

maintaining the electronic evidence in an electronic evidence database associated with 
the electronic investigation file. 

2. The method according to claim 1, further comprising the step of routing an 
investigation approval form to at least one selected individual for the at least one individual to 
authorize or deny the investigation of the incident. 

3. The method according to any of claims 1 to 2, wherein the security alert is 
generated in response to an action of an author, the author being anonymous. 

4. The method according to any of claims 1 to 3, further comprising the steps of 
establishing a set of criteria for security alert handling and acting upon the security alert based 
on the set of criteria. 
5. The method according to claim 4, wherein the step of acting upon the security 
alert is carried out by a computer system. 

6. The method according to any of claims 1 to 5, further comprising the step of 
digitally notarizing at least one item of electronic evidence contained in the electronic 
evidence database. 

7. The method according to any of claims 1 to 6, further comprising the steps of 
searching a selected electronic mail file for at least one specified word and storing the 
electronic mail file in the electronic evidence database if the at least one specified word is 
present in the electronic mail file. 

8. The method according to any of claims 1 to 7, further comprising the step of 
alerting at least one person that an investigation file has been opened. 

9. The method according to any of claims 1 to 8, further comprising the steps of 
storing a collection of security policies and support guidelines in a database and referring to 
the policies and guidelines when documenting the incident and administering to the 
investigation of the incident. 

10. An information technology incident response and investigation system 
comprising: 

an incoming security alert administration means for receiving a computer generated 
security alert indicative of prohibited activity transpiring between a first and a second 
networked computing device; 

a display for displaying the security alert for analysis by an administrator; 

an incident administration means for creating an electronic incident file to document a 
potential computer network misconduct incident based on information contained in the 
security alert; and 

an investigation administration means for opening an electronic investigation file to 
facilitate administration of an investigation of the potential computer network misconduct 
incident documented in the incident file. 

11. The system according to claim 10, wherein the security alert is generated in 
response to an action of an author, the author being anonymous. 

12. The system according to any of claims 10 to 11, wherein the security alert is 
generated by an information technology security device or software tool. 

13. The system according to any of claims 10 to 12, further comprising an 
information technology policy administration means for storing a collection of security 
policies and support guidelines in a database, the policies and guidelines accessible from the 
incident administration means and the investigation administration means. 

14. The system according to any of claims 10 to 13, wherein the investigation 
administration means includes an electronic authorization means to approve an opening of an 
investigation file. 

15. The system according to any of claims 10 to 14, wherein the investigation 
administration means includes an electronic evidence database means associated with the 
electronic investigation file for maintaining items of electronic evidence relating to the 
investigation of the potential computer network misconduct incident. 

16. The system according to claim 15, wherein the electronic evidence database 
means has a digital notarization function for digitally notarizing at least one item of electronic 
evidence contained in the electronic evidence database. 
17. The system according to any of claims 10 to 16, wherein the investigation 
administration means includes an electronic mail search tool for searching a selected 
electronic mail file for at least one specified word and storing the electronic mail file in an 
electronic evidence database if the at least one specified word is present in the electronic mail 
file. 

18. The system according to any of claims 10 to 17, further comprising an 
investigation alerting tool for alerting at least one person that an investigation file has been 
opened. 
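The evidence-handling steps the claims describe, as an added example that is not part of the patent or of any product it covers: an evidence database tied to one investigation file, the digital notarization of claims 6/16 (modelled here as a SHA-256 digest sealed with an HMAC under a notary key, which is an assumption; a deployment would use a signature or a time-stamping authority), and the keyword e-mail search of claims 7/17. The investigation identifier, notary key and mail files are constructed sample values.

```python
"""Added example, not from the patent: a minimal electronic evidence database
for one investigation file, with the digital notarization step of claims 6/16
and the keyword e-mail search of claims 7/17.  Notarization is modelled as a
SHA-256 digest sealed with an HMAC over digest and timestamp (an assumption)."""
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed demo key; a deployment keeps the notary key in an HSM or KMS.
NOTARY_KEY = b"constructed-demo-notary-key"

class EvidenceDatabase:
    """Items of electronic evidence associated with one investigation file."""

    def __init__(self, investigation_id):
        self.investigation_id = investigation_id  # constructed identifier
        self.items = []

    def add_item(self, name, content, when=None):
        """Store one item and notarize it: hash, timestamp, seal (claims 6/16)."""
        when = when or datetime.now(timezone.utc).isoformat()
        digest = hashlib.sha256(content).hexdigest()
        record = json.dumps({"investigation": self.investigation_id, "name": name,
                             "sha256": digest, "time": when}, sort_keys=True).encode()
        seal = hmac.new(NOTARY_KEY, record, hashlib.sha256).hexdigest()
        item = {"name": name, "content": content, "record": record, "seal": seal}
        self.items.append(item)
        return item

    def verify_item(self, item):
        """False if the content no longer matches the notarized record, or the
        record itself was altered after sealing."""
        recorded = json.loads(item["record"])
        if recorded["sha256"] != hashlib.sha256(item["content"]).hexdigest():
            return False
        expected = hmac.new(NOTARY_KEY, item["record"], hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, item["seal"])

    def search_mail(self, mail_files, words):
        """Claims 7/17: store every mail file that contains any specified word."""
        pattern = re.compile(r"\b(?:" + "|".join(re.escape(w) for w in words) + r")\b",
                             re.IGNORECASE)
        stored = []
        for name, text in mail_files.items():
            if pattern.search(text):
                stored.append(self.add_item(name, text.encode()))
        return stored

# Constructed sample mail files (not taken from the patent).
SAMPLE_MAIL = {
    "msg1.eml": "From: a@example.org\nSubject: lunch\n\nSee you at noon.",
    "msg2.eml": "From: b@example.org\nSubject: project\n\nThe source code is attached.",
}

def demo():
    """Search the sample mail, notarize the hits, then detect a tampered copy."""
    db = EvidenceDatabase("INV-0001")
    stored = db.search_mail(SAMPLE_MAIL, ["source code"])
    all_valid = all(db.verify_item(i) for i in stored)
    tampered = dict(stored[0], content=b"edited after notarization")
    return [i["name"] for i in stored], all_valid, db.verify_item(tampered)
```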
I. BASIS OF REPORT: 

This report has been drawn on the basis of the description, 

page(s) 1-24, as originally filed. 

page(s) NONE, filed with the demand. 

and additional amendments: 

NONE 

This report has been drawn on the basis of the claims, 

page(s) NONE, as originally filed. 

page(s) NONE, as amended under Article 19. 

page(s) NONE, filed with the demand. 

and additional amendments: 

Pages 25,26,27/1,27/2, filed with letter of 28 September 2001. 

This report has been drawn on the basis of the drawings , 

page(s) 1-10, as originally filed. 

page(s) NONE, filed with the demand. 

and additional amendments: 

NONE 

This report has been drawn on the basis of the sequence listing part of the description: 

page(s) NONE, as originally filed. 

page(s) NONE, filed with the demand. 

and additional amendments: 

NONE 



V. 2. REASONED STATEMENTS - CITATIONS AND EXPLANATIONS (Continued): 
security alert based on the set of criteria as inherent feature of security policy [col 1 lines 25-33]. 

As per claim 9, Boebert discloses the steps of storing a collection of security policies and support guidelines in a 
database and referring to the policies and guidelines when documenting the incident and administering to the investigation of 
the incident [col 15 lines 24-35, col 28 lines 28-45]. 

As per claim 13, Boebert discloses an information technology policy administration means for storing a collection of 
security policies and support guidelines in a database, the policies and guidelines accessible from the incident administration 
means and the investigation administration means as inherent feature of security policy [col 1 lines 25-33]. 

As per claim 14, Boebert discloses the investigation administration means includes an electronic authorization means 
to approve an opening of an investigation file [col 15 lines 24-35, col 28 lines 28-45]. 

As per claim 15, Boebert discloses the investigation administration means includes an electronic evidence database 
means associated with the electronic investigation file for maintaining items of electronic evidence relating to the 
investigation of the potential computer network misconduct incident [col 15 lines 24-35, col 28 lines 28-45]. 

As per claim 16, Boebert discloses the electronic evidence database means has a digital notarization function for 
digitally notarizing at least one item of electronic evidence contained in the electronic evidence database [col 29 lines 1-46]. 

As per claim 17, Boebert discloses the investigation administration means includes an electronic mail search tool for 
searching a selected electronic mail file for at least one specified word and storing the electronic mail file in an electronic 
evidence database if the at least one specified word is present in the electronic mail file [col 29 lines 1-46]. 



NEW CITATIONS 

US 5,864,683 A (BOEBERT et al) 26 JANUARY 1999 
US 4,672,572 A (ALSBERG) 09 JUNE 1987 
V. Reasoned statement under Article 35(2) with regard to novelty, inventive step or industrial applicability; 
citations and explanations supporting such statement 

1. Statement 

Novelty (N)                     Claims NONE            YES 
                                Claims 1-11,13-17      NO 

Inventive Step (IS)             Claims NONE            YES 
                                Claims 1-11,13-17      NO 

Industrial Applicability (IA)   Claims 1-11,13-17      YES 
                                Claims NONE            NO 



2. citations and explanations (Rule 70.7) 

Claims 1-11,13-17 lack an inventive step under PCT Article 33(3) as being obvious over Boebert et al. (5,864,683). 

As per claims 1,10 Boebert discloses a method of responding to an information technology related incident such as a system 
for secure transfer of data between a computer connected to a private network and a remote computer connected to an unsecured 
network [abstract], comprising the steps of: 

receiving a computer generated security alert indicative of prohibited activity transpiring between a first and a second 
networked computing device [col 1 lines 25-52]; 

displaying the security alert on an incident response and investigation system for analysis by an administrator [col 
19 lines 1-34]; 

creating an electronic documentation of a potential computer network misconduct incident based on information 
contained in the security alert [col 22 lines 5-35, col 25 lines 25-61]; 

opening an electronic investigation file to facilitate administration of an investigation of the potential computer 
network misconduct incident [col 28 lines 28-46]; 

collecting items of electronic evidence relating to the investigation of the potential computer network misconduct 
incident [col 15 lines 24-33]; and 

maintaining the electronic evidence in an electronic evidence database associated with the electronic investigation file 
[col 29 lines 1-46, col 30 lines 27-38]. 

As per claim 2, Boebert discloses the step of routing an investigation approval form to at least one selected individual 
for the at least one individual to authorize or deny the investigation of the incident as inherent in tracing the source of an attack 
and raising an alarm [col 15 lines 24-35, col 19 lines 17-34]. 

As per claims 3,11 Boebert discloses the security alert is generated in response to an action of an author, the author 
being anonymous as an inherent feature of encryption [col 13 lines 37-63]. 

As per claim 4, Boebert discloses the steps of establishing a set of criteria for security alert handling and acting upon the 
(Continued on Supplemental Sheet.) 
VII. Certain defects in the international application 



The following defects in the form or contents of the international application have been noted: 

Claims 13-17 are objected to under PCT Rule 66.2(a)(iii) as containing the following defect(s) in the form or contents thereof: 
Claim 12 is missing. Thus claims 13-17 renumber to 12-16. Correction is required. 